Search Results

Search found 43347 results on 1734 pages for 'php security'.

Page 15/1734 | < Previous Page | 11 12 13 14 15 16 17 18 19 20 21 22  | Next Page >

  • Security implications of writing files using PHP

    - by susmits
    I'm currently trying to create a CMS using PHP, purely in the interest of education. I want the administrators to be able to create content, which will be parsed and saved on the server storage in pure HTML form to avoid the overhead that executing PHP script would incur. Unfortunately, I could only think of a few ways of doing so: Setting write permission on every directory where the CMS should want to write a file. This sounds like quite a bad idea. Setting write permissions on a single cached directory. A PHP script could then include or fopen/fread/echo the content from a file in the cached directory at request-time. This could perhaps be carried out in a Mediawiki-esque fashion: something like index.php?page=xyz could read and echo content from cached/xyz.html at runtime. However, I'll need to ensure the sanity of $_GET['page'] to prevent nasty variations like index.php?page=http://www.bad-site.org/malicious-script.js. I'm personally not too thrilled by the second idea, but the first one sounds very insecure. Could someone please suggest a good way of getting this done?

    Read the article

  • What's the best technique to protect my framework from visitors who are not logged in?

    - by Hermet
    First of all, I would like to say that I have used the search box looking for a similar question and was unsuccessful, maybe because of my poor english skills. I have a a 'homemade' framework. I have certain PHP files that must only be visible for the admin. The way I currently do this is check within every single page to see if a session has been opened. If not, the user gets redirected to a 404 page, to seem like the file which has been requested doesn't exist. I really don't know if this is guaranteed to work or if there's a better and more safe way because I'm currently working with kind of confidential data that should never become public. Could you give me some tips? Or leave a link where I could find some? Thank you very much, and again excuse me for kicking the dictionary. EDIT What I usually write in the top of each file is something like this <?php include("sesion.php"); $rs=comprueba(); //'check' if ($rs==1) { ?> And then, at the end <?php } ?> Is it such a butched job, isn't it? EDIT Let's say I have a customers list in a file named customers.php That file may be currently on http://www.mydomain.com/admin/customers.php and it must only be visible for the admin user. Once the admin user has been logged in, I create a session variable. That variable is what I check on the top of each page, and if it exists, the customers list is shown. If not, the user gets redirected to the 404 page. Thank you for your patience. I really appreciate.

    Read the article

  • Form Security (discussion)

    - by Eray Alakese
    I'm asking for brain storming and sharing experience. Which method you are using for form submiting security ? For example , for block automatically sended POST or GET datas, i'm using this method : // Generating random string <?php $hidden = substr(md5(microtime()) ,"-5"); ?> <form action="post.php" .... // assing this random string to a hidden input <input type="hidden" value="<?php echo $hidden;" name="secCode> // and then put this random string to a session variable $_SESSION["secCode"] = $hidden; **post.php** if ($_POST["secCode"] != $_SESSION["secCode"]) { die("You have to send this form, on our web site"); }

    Read the article

  • Apache is not interpreting .PHP files

    - by Ala ABUDEEB
    I recently downloaded OpenSUSE OS version 11.4 from the site to use it as a server..In order to do that I downloaded the server edition that has Apache/2.2.17 and PHP5 downloaded by default.....Ok till now it is fine Now I started the Apache successfully and put a test.php file in the documentRoot directory. test.php contain only <?php phpinfo() ?> Then using my browser I typed http://localhost/test.php and here was the problem the browser didn't display what phpinfo() should display, instead it asked me whether I want to open or save test.php...which is driving me crazy.... I googled a lot but no solution THis is /etc/apache2/conf.d/php5.conf (IfModule mod_php5.c) AddHandler application/x-httpd-php .php4 AddHandler application/x-httpd-php .php5 AddHandler application/x-httpd-php .php AddHandler application/x-httpd-php-source .php4s AddHandler application/x-httpd-php-source .php5s AddHandler application/x-httpd-php-source .phps DirectoryIndex index.php4 DirectoryIndex index.php5 DirectoryIndex index.php (/IfModule)

    Read the article

  • How to config PHP libxml path after updated libxml from 2.2.26 to 2.9

    - by Cauliturtle
    our servers need to update the libxml2 version from 2.2.26 to 2.9 (latest version). It is no problem that we have been installed the libxml2-2.9 version on our servers. but the problem is how can we config the libs path of libxml2 path in php? Since it still show the old version on phpinfo(). What we have do is 1. Install libxml2 2.7.X on CentOS 5.X Using yum to install local files, and typed yum info libxml2, it shows 2.9 was installed. Thanks!

    Read the article

  • How can I remove the Translation entries in apt?

    - by Lord of Time
    This is the output of aptitude update: Ign http://archive.canonical.com natty InRelease Ign http://extras.ubuntu.com natty InRelease Ign http://dl.google.com stable InRelease Ign http://security.ubuntu.com natty-security InRelease Hit http://deb.torproject.org natty InRelease Get:1 http://dl.google.com stable Release.gpg [198 B] Ign http://us.archive.ubuntu.com natty InRelease Ign http://us.archive.ubuntu.com natty-updates InRelease Hit http://archive.canonical.com natty Release.gpg Hit http://extras.ubuntu.com natty Release.gpg Hit http://security.ubuntu.com natty-security Release.gpg Hit http://us.archive.ubuntu.com natty Release.gpg Hit http://security.ubuntu.com natty-security Release Hit http://archive.canonical.com natty Release Hit http://extras.ubuntu.com natty Release Get:2 http://dl.google.com stable Release [1,338 B] Hit http://us.archive.ubuntu.com natty-updates Release.gpg Hit http://security.ubuntu.com natty-security/main Sources Hit http://archive.canonical.com natty/partner amd64 Packages Hit http://deb.torproject.org natty/main amd64 Packages Hit http://extras.ubuntu.com natty/main Sources Hit http://us.archive.ubuntu.com natty Release Hit http://security.ubuntu.com natty-security/restricted Sources Hit http://security.ubuntu.com natty-security/universe Sources Hit http://security.ubuntu.com natty-security/multiverse Sources Hit http://security.ubuntu.com natty-security/main amd64 Packages Hit http://security.ubuntu.com natty-security/restricted amd64 Packages Ign http://archive.canonical.com natty/partner TranslationIndex Hit http://extras.ubuntu.com natty/main amd64 Packages Ign http://extras.ubuntu.com natty/main TranslationIndex Hit http://security.ubuntu.com natty-security/universe amd64 Packages Hit http://security.ubuntu.com natty-security/multiverse amd64 Packages Ign http://security.ubuntu.com natty-security/main TranslationIndex Ign http://security.ubuntu.com natty-security/multiverse TranslationIndex Ign http://security.ubuntu.com natty-security/restricted TranslationIndex Ign http://deb.torproject.org natty/main TranslationIndex Ign http://security.ubuntu.com natty-security/universe TranslationIndex Hit http://us.archive.ubuntu.com natty-updates Release Hit http://us.archive.ubuntu.com natty/main Sources Hit http://us.archive.ubuntu.com natty/restricted Sources Hit http://us.archive.ubuntu.com natty/universe Sources Hit http://us.archive.ubuntu.com natty/multiverse Sources Hit http://us.archive.ubuntu.com natty/main amd64 Packages Hit http://us.archive.ubuntu.com natty/restricted amd64 Packages Hit http://us.archive.ubuntu.com natty/universe amd64 Packages Hit http://us.archive.ubuntu.com natty/multiverse amd64 Packages Ign http://us.archive.ubuntu.com natty/main TranslationIndex Ign http://us.archive.ubuntu.com natty/multiverse TranslationIndex Ign http://us.archive.ubuntu.com natty/restricted TranslationIndex Ign http://us.archive.ubuntu.com natty/universe TranslationIndex Hit http://us.archive.ubuntu.com natty-updates/main Sources Hit http://us.archive.ubuntu.com natty-updates/restricted Sources Hit http://us.archive.ubuntu.com natty-updates/universe Sources Get:3 http://dl.google.com stable/main amd64 Packages [469 B] Ign http://dl.google.com stable/main TranslationIndex Hit http://us.archive.ubuntu.com natty-updates/multiverse Sources Hit http://us.archive.ubuntu.com natty-updates/main amd64 Packages Hit http://us.archive.ubuntu.com natty-updates/restricted amd64 Packages Hit http://us.archive.ubuntu.com natty-updates/universe amd64 Packages Hit http://us.archive.ubuntu.com natty-updates/multiverse amd64 Packages Ign http://us.archive.ubuntu.com natty-updates/main TranslationIndex Ign http://us.archive.ubuntu.com natty-updates/multiverse TranslationIndex Ign http://us.archive.ubuntu.com natty-updates/restricted TranslationIndex Ign http://us.archive.ubuntu.com natty-updates/universe TranslationIndex Ign http://archive.canonical.com natty/partner Translation-en_US Ign http://extras.ubuntu.com natty/main Translation-en_US Ign http://extras.ubuntu.com natty/main Translation-en Ign http://archive.canonical.com natty/partner Translation-en Ign http://security.ubuntu.com natty-security/main Translation-en_US Ign http://security.ubuntu.com natty-security/main Translation-en Ign http://security.ubuntu.com natty-security/multiverse Translation-en_US Ign http://security.ubuntu.com natty-security/multiverse Translation-en Ign http://security.ubuntu.com natty-security/restricted Translation-en_US Ign http://security.ubuntu.com natty-security/restricted Translation-en Ign http://security.ubuntu.com natty-security/universe Translation-en_US Ign http://security.ubuntu.com natty-security/universe Translation-en Ign http://ppa.launchpad.net natty InRelease Ign http://ppa.launchpad.net natty InRelease Ign http://ppa.launchpad.net natty InRelease Ign http://ppa.launchpad.net natty InRelease Ign http://ppa.launchpad.net natty InRelease Hit http://ppa.launchpad.net natty Release.gpg Hit http://ppa.launchpad.net natty Release.gpg Hit http://ppa.launchpad.net natty Release.gpg Hit http://ppa.launchpad.net natty Release.gpg Hit http://ppa.launchpad.net natty Release.gpg Hit http://ppa.launchpad.net natty Release Ign http://dl.google.com stable/main Translation-en_US Hit http://ppa.launchpad.net natty Release Hit http://ppa.launchpad.net natty Release Hit http://ppa.launchpad.net natty Release Hit http://ppa.launchpad.net natty Release Ign http://dl.google.com stable/main Translation-en Hit http://ppa.launchpad.net natty/main Sources Hit http://ppa.launchpad.net natty/main amd64 Packages Ign http://ppa.launchpad.net natty/main TranslationIndex Hit http://ppa.launchpad.net natty/main Sources Hit http://ppa.launchpad.net natty/main amd64 Packages Ign http://ppa.launchpad.net natty/main TranslationIndex Hit http://ppa.launchpad.net natty/main Sources Hit http://ppa.launchpad.net natty/main amd64 Packages Ign http://ppa.launchpad.net natty/main TranslationIndex Hit http://ppa.launchpad.net natty/main Sources Hit http://ppa.launchpad.net natty/main amd64 Packages Ign http://ppa.launchpad.net natty/main TranslationIndex Hit http://ppa.launchpad.net natty/main Sources Ign http://us.archive.ubuntu.com natty/main Translation-en_US Ign http://us.archive.ubuntu.com natty/main Translation-en Hit http://ppa.launchpad.net natty/main amd64 Packages Ign http://ppa.launchpad.net natty/main TranslationIndex Ign http://us.archive.ubuntu.com natty/multiverse Translation-en_US Ign http://us.archive.ubuntu.com natty/multiverse Translation-en Ign http://us.archive.ubuntu.com natty/restricted Translation-en_US Ign http://us.archive.ubuntu.com natty/restricted Translation-en Ign http://us.archive.ubuntu.com natty/universe Translation-en_US Ign http://us.archive.ubuntu.com natty/universe Translation-en Ign http://us.archive.ubuntu.com natty-updates/main Translation-en_US Ign http://us.archive.ubuntu.com natty-updates/main Translation-en Ign http://us.archive.ubuntu.com natty-updates/multiverse Translation-en_US Ign http://us.archive.ubuntu.com natty-updates/multiverse Translation-en Ign http://us.archive.ubuntu.com natty-updates/restricted Translation-en_US Ign http://us.archive.ubuntu.com natty-updates/restricted Translation-en Ign http://us.archive.ubuntu.com natty-updates/universe Translation-en_US Ign http://us.archive.ubuntu.com natty-updates/universe Translation-en Ign http://ppa.launchpad.net natty/main Translation-en_US Ign http://ppa.launchpad.net natty/main Translation-en Ign http://ppa.launchpad.net natty/main Translation-en_US Ign http://ppa.launchpad.net natty/main Translation-en Ign http://archive.getdeb.net natty-getdeb InRelease Ign http://ppa.launchpad.net natty/main Translation-en_US Ign http://ppa.launchpad.net natty/main Translation-en Ign http://ppa.launchpad.net natty/main Translation-en_US Ign http://ppa.launchpad.net natty/main Translation-en Ign http://ppa.launchpad.net natty/main Translation-en_US Ign http://ppa.launchpad.net natty/main Translation-en Hit http://archive.getdeb.net natty-getdeb Release.gpg Hit http://archive.getdeb.net natty-getdeb Release Ign http://deb.torproject.org natty/main Translation-en_US Ign http://deb.torproject.org natty/main Translation-en Hit http://archive.getdeb.net natty-getdeb/apps amd64 Packages Ign http://archive.getdeb.net natty-getdeb/apps TranslationIndex Ign http://archive.getdeb.net natty-getdeb/apps Translation-en_US Ign http://archive.getdeb.net natty-getdeb/apps Translation-en Fetched 2,005 B in 45s (44 B/s) Reading package lists... Is there any way I can get rid of the Translation stuff? I'm tired of it resulting in tons of repository checks rather than it checking far less repositories (69 actual repos vs. 169 checks)

    Read the article

  • Should I be using a JavaScript SPA designed when security is important

    - by ryanzec
    I asked something kind of similar on stackoverflow with a particular piece of code however I want to try to ask this in a broader sense. So I have this web application that I have started to write in backbone using a Single Page Architecture (SPA) however I am starting to second guess myself because of security. Now we are not storing and sending credit card information or anything like that through this web application but we are storing sensitive information that people are uploading to us and will have the ability to re-download too. The obviously security concern that I have with JavaScript is that you can't trust anything that comes from JavaScript however in a Backbone SPA application, everything is being sent through JavaScript. There are two security features that I will have to build in JavaScript; permissions and authentication. The authentication piece is just me override the Backbone.Router.prototype.navigate method to check the fragment it is trying to load and if the JavaScript application.session.loggedIn is not set to true (and they are not viewing a none authenticated page), they are redirected to the login page automatically. The user could easily modify application.session.loggedIn to equal true (or modify Backbone.Router.prototype.navigate method) but then they would also have to not so easily dynamically embedded a link into the page (or modify a current one) that has the proper classes, data-* attributes, and href values to then load a page that should only be loaded when they user has logged in (and has the permissions). So I have an acl object that deals with the permissions stuff. All someone would have to do to view pages or parts of pages they should not be able to is to call acl.addPermission(resource, permission) with the proper permissions or modify the acl.hasPermission() to always return true and then navigate away and then back to the page. Now certain things is EMCAScript 5 like Object.seal() or Object.freeze() would help with some of this however we have to support IE 8 which does not support those pieces of functionality. Now the REST API also performs security checks on every request so technically even if they are able to see parts of the interface that they should not be able to, they still should not be able to actually affect any data. The main benefits for me in developing a JavaScript SPA application is that the application is a lot more responsive since it is only transferring the minimum amount of JSON data for the requested action and performing the minimum amount of work too. There are also other things that I think are beneficial like you are going to have to develop an API for the data (which is good if you want expand your application to different platforms/technologies) or their is more of a separation between front-end and back-end however if security is a concern, it is really wise to go down the road of a JavaScript SPA application for the front-end?

    Read the article

  • Which Free Online Antivirus Scanner is the Best? [Comparison Test and Results]

    - by Asian Angel
    There are times when an online or supplementary scanner can be very useful when cleaning up an infected computer or just to get a second opinion on the security of your system. With this purpose in mind, the good folks over at the 7 Tutorials blog decided to do a test using the ten most popular online security scanners to see what worked the best and what did not. The following scanners were used for the test: Bitdefender QuickScan, BullGuard Online Scanner, Comodo Cloud Scanner, ESET Free Online Scanner, F-Secure Online Scanner, Kaspersky Security Scan, McAfee Security Scan Plus, Norton Security Scan, Panda ActiveScan and Trend Micro HouseCall. Are there any online or supplementary scanners that you use and depend on? Do you agree or disagree with the results? Let us know in the comments! Test Comparison – What is the Best Free Online Antivirus Scanner? [7 Tutorials] HTG Explains: Why Linux Doesn’t Need Defragmenting How to Convert News Feeds to Ebooks with Calibre How To Customize Your Wallpaper with Google Image Searches, RSS Feeds, and More

    Read the article

  • What PHP configuration and extensions are recommended for speed, efficiency and security?

    - by Sanoj
    I am setting up an Ubuntu server with nginx and PHP. I have read about many different configurations and extensions that could be added and it is pretty hard to know about all of them. I would like to hear from you, sysadmins, what PHP configuration and extensions do you recommend? I have read about: Suhosin for security Alternative PHP Cache for speed and efficiency Memcache for speed and efficiency PHP FastCGI Process Manager for speed and efficiency But I have no idea if they are good or not, and if I should use them together.

    Read the article

  • PHP CodeSniffer: indentation of 2 is ignored, it just checks 4

    - by Olivier Pons
    # phpcs --version PHP_CodeSniffer version 1.3.3 (stable) by Squiz Pty Ltd. (http://www.squiz.net) # Trying to do this: phpcs --tab-width=2 includes/json/item/categorie.php FOUND 29 ERROR(S) AND 3 WARNING(S) AFFECTING 24 LINE(S) Doesn't work. This doesn't work too: phpcs includes/json/item/categorie.php --tab-width=2 FOUND 29 ERROR(S) AND 3 WARNING(S) AFFECTING 24 LINE(S) If I indent the file with 4 spaces (which I don't want): phpcs --tab-width=2 includes/json/item/categorie.php FOUND 4 ERROR(S) AND 3 WARNING(S) AFFECTING 17 LINE(S) phpcs --tab-width=4 includes/json/item/categorie.php FOUND 4 ERROR(S) AND 3 WARNING(S) AFFECTING 17 LINE(S) phpcs --tab-width=50 includes/json/item/categorie.php FOUND 4 ERROR(S) AND 3 WARNING(S) AFFECTING 17 LINE(S) phpcs includes/json/item/categorie.php --tab-width=50 FOUND 4 ERROR(S) AND 3 WARNING(S) AFFECTING 17 LINE(S) So it's totally ignored. It this a bug?

    Read the article

  • TDE Tablespace Encryption 11.2.0.1 Certified with EBS 11i

    - by Steven Chan
    Oracle Advanced Security is an optional licenced Oracle 11g Database add-on.  Oracle Advanced Security Transparent Data Encryption (TDE) offers two different features:  column encryption and tablespace encryption.  TDE Tablespace Encryption 11.2.0.1 is now certified with Oracle E-Business Suite Release 11i. What is Transparent Data Encryption (TDE) ? Oracle Advanced Security Transparent Data Encryption (TDE) allows you to protect data at rest. TDE helps address privacy and PCI requirements by encrypting personally identifiable information (PII) such as Social Security numbers and credit card numbers. TDE is completely transparent to existing applications with no triggers, views or other application changes required. Data is transparently encrypted when written to disk and transparently decrypted after an application user has successfully authenticated and passed all authorization checks. Authorization checks include verifying the user has the necessary select and update privileges on the application table and checking Database Vault, Label Security and Virtual Private Database enforcement policies.

    Read the article

  • Where to draw the line between development-led security and administration-led security?

    - by haylem
    There are cases where you have the opportunity, as a developer, to enforce stricter security features and protections on a software, though they could very well be managed at an environmental level (ie, the operating system would take care of it). Where would you say you draw the line, and what elements do you factor in your decision? Concrete Examples User Management is the OS's responsibility Not exactly meant as a security feature, but in a similar case Google Chrome used to not allow separate profiles. The invoked reason (though it now supports multiple profiles for a same OS user) used to be that user management was the operating system's responsibility. Disabling Web-Form Fields A recurrent request I see addressed online is to have auto-completion be disabled on form fields. Auto-completion didn't exist in old browsers, and was a welcome feature at the time it was introduced for people who needed to fill in forms often. But it also brought in some security concerns, and so some browsers started to implement, on top of the (obviously needed) setting in their own preference/customization panel, an autocomplete attribute for form or input fields. And this has now been introduced into the upcoming HTML5 standard. For browsers who do not listen to this attribute, strange hacks *\ are offered, like generating unique IDs and names for fields to avoid them from being suggested in future forms (which comes with another herd of issues, like polluting your local auto-fill cache and not preventing a password from being stored in it, but instead probably duplicating its occurences). In this particular case, and others, I'd argue that this is a user setting and that it's the user's desire and the user's responsibility to enable or disable auto-fill (by disabling the feature altogether). And if it is based on an internal policy and security requirement in a corporate environment, then substitute the user for the administrator in the above. I assume it could be counter-argued that the user may want to access non-critical applications (or sites) with this handy feature enabled, and critical applications with this feature disabled. But then I'd think that's what security zones are for (in some browsers), or the sign that you need a more secure (and dedicated) environment / account to use these applications. * I obviously don't deny the ingenuity of the people who were forced to find workarounds, just the necessity of said workarounds. Questions That was a tad long-winded, so I guess my questions are: Would you in general consider it to be the application's (hence, the developer's) responsiblity? Where do you draw the line, if not in the "general" case?

    Read the article

  • New security configuration flag in UCM PS3

    - by kyle.hatlestad
    While the recent Patch Set 3 (PS3) release was mostly focused on bug fixes and such, a new configuration flag was added for security. In 10gR3 and prior versions, UCM had a component called Collaboration Manager which allowed for project folders to be created and groups of users assigned as members to collaborate on documents. With this component came access control lists (ACL) for content and folders. Users could assign specific security rights on each and every document and folder within a project. And it was possible to enable these ACL's without having the Collaboration Manager component enabled. But it took some special instructions (see technote# 603148.1) and added some extraneous pieces still related to Collaboration Manager. When 11g came out, Collaboration Manager was no longer available. But the configuration settings to turn on ACLs were still there. Well, in PS3 they've been cleaned up a bit and a new configuration flag has been added to simply turn on the ACL fields and none of the other collaboration bits. To enable ACLs: UseEntitySecurity=true Along with this configuration flag to turn ACLs on, you also need to define which Security Groups will honor the ACL fields. If an ACL is applied to a content item with a Security Group outside this list, it will be ignored. SpecialAuthGroups=HumanResources,Legal,Marketing Save the settings and restart the instance. Upon restart, two new metadata fields will be created: xClbraUserList, xClbraAliasList. If you are using OracleTextSearch as the search indexer, be sure to run a Fast Rebuild on the collection. On the Check In, Search, and Update pages, values are added by simply typing in the value and getting a type-ahead list of possible values. Select the value, click Add and then set the level of access (Read, Write, Delete, or Admin). If all of the fields are blank, then it simply falls back to just Security Group and Account access. As for how they are stored in the metadata fields, each entry starts with it's identifier: ampersand (&) symbol for users, "at" (@) symbol for groups, and colon (:) for roles. Following that is the entity name. And at the end is the level of access in paranthesis. e.g. (RWDA). And each entry is separated by a comma. So if you were populating values through batch loader or an external source, the values would be defined this way. Detailed information on Access Control Lists can be found in the Oracle Fusion Middleware System Administrator's Guide for Oracle Content Server.

    Read the article

  • What PHP configuration and extensions are recommended for efficiency and security?

    - by Sanoj
    I am setting up an Ubuntu VPS server with nginx and PHP. I have read about many different configurations and extensions that could be added and it is pretty hard to know about all of them. I would like to hear from you, sysadmins, what PHP configuration and extensions do you recommend? I have read about: Suhosin for security Alternative PHP Cache for efficiency PHP FastCGI Process Manager for efficiency But I have no idea if they are good or not, and if I should use them together.

    Read the article

  • Mod_rewrite and urls that don't end with .php

    - by Kevin Laity
    I'm trying to use Mod_rewrite to hide the .php extensions of my pages. However, it refuses to do any rewriting unless the input url ends with .php, which makes that impossible. I can confirm that rewriting works fine as long as the url has .php at the end. RewriteRule a\.php b\.php Works, while RewriteRule a\.html b\.html does not. How can I turn off this behavior and allow it to rewrite all urls? I'm on a shared host so whatever I do has to be done from a .htaccess file. Update: There seems to be some confusion about what I'm asking here. The question is not about how to write the rule, the question is about server configuration. The rule I'm using is fine, I can test that locally. But the server I'm working with is somehow configured so that mod_rewrite doesn't attempt to rewrite anything that doesn't end with .php

    Read the article

  • Development-led security vs administration-led security in a software product?

    - by haylem
    There are cases where you have the opportunity, as a developer, to enforce stricter security features and protections on a software, though they could very well be managed at an environmental level (ie, the operating system would take care of it). Where would you say you draw the line, and what elements do you factor in your decision? Concrete Examples User Management is the OS's responsibility Not exactly meant as a security feature, but in a similar case Google Chrome used to not allow separate profiles. The invoked reason (though it now supports multiple profiles for a same OS user) used to be that user management was the operating system's responsibility. Disabling Web-Form Fields A recurrent request I see addressed online is to have auto-completion be disabled on form fields. Auto-completion didn't exist in old browsers, and was a welcome feature at the time it was introduced for people who needed to fill in forms often. But it also brought in some security concerns, and so some browsers started to implement, on top of the (obviously needed) setting in their own preference/customization panel, an autocomplete attribute for form or input fields. And this has now been introduced into the upcoming HTML5 standard. For browsers that do not listen to this attribute, strange hacks* are offered, like generating unique IDs and names for fields to avoid them from being suggested in future forms (which comes with another herd of issues, like polluting your local auto-fill cache and not preventing a password from being stored in it, but instead probably duplicating its occurences). In this particular case, and others, I'd argue that this is a user setting and that it's the user's desire and the user's responsibility to enable or disable auto-fill (by disabling the feature altogether). And if it is based on an internal policy and security requirement in a corporate environment, then substitute the user for the administrator in the above. I assume it could be counter-argued that the user may want to access non-critical applications (or sites) with this handy feature enabled, and critical applications with this feature disabled. But then I'd think that's what security zones are for (in some browsers), or the sign that you need a more secure (and dedicated) environment / account to use these applications. * I obviously don't deny the ingeniosity of the people who were forced to find workarounds, just the necessity of said workarounds. Questions That was a tad long-winded, so I guess my questions are: Would you in general consider it to be the application's (hence, the developer's) responsiblity? Where do you draw the line, if not in the "general" case?

    Read the article

  • Mod_rewrite and urls that don't end with .php

    - by Kevin Laity
    I'm trying to use Mod_rewrite to hide the .php extensions of my pages. However, it refuses to do any rewriting unless the input url ends with .php, which makes that impossible. I can confirm that rewriting works fine as long as the url has .php at the end. RewriteRule a\.php b\.php Works, while RewriteRule a\.html b\.html does not. How can I turn off this behavior and allow it to rewrite all urls? I'm on a shared host so whatever I do has to be done from a .htaccess file. Update: There seems to be some confusion about what I'm asking here. The question is not about how to write the rule, the question is about server configuration. The rule I'm using is fine, I can test that locally. But the server I'm working with is somehow configured so that mod_rewrite doesn't attempt to rewrite anything that doesn't end with .php

    Read the article

  • Whats the thing the report bugs in php?

    - by Max Hazard
    Currently I am learning php. Php is understood by browser itself right from php sdk right? SDK include libraries right? So browser is like an interpreter of php codes. I want to know that whenever I type a wrong php syntax what is the thing report me the error? Obviously the browser is reporting the error. But what part of it? I mean I don't get it. Like writing a compiler we do lexical analysis and make the compiler which report any bug in source code. I assume here browser is analogous to compiler. I don't know exactly but compiler contains bug report functions or methods which is debugger. Debugger is part of compiler which report bugs. Does the browser contains such debuggers? Can there be any browser which doesn't understand php?

    Read the article

  • adding regular expression in php not work

    - by John Smiith
    Code i added ([a-zA-Z0-9\_\-]+) but not work i wan't to include all css files is there is any other way to add?? My code file css.php header("Content-type: text/css"); $css = array( '([a-zA-Z0-9\\_\\-]+).css', ); foreach ($css as $css_file) { $css_get = file_get_contents($css_file); echo $css_get; } call.php <link href="css.php" rel="stylesheet" type="text/css" /> i wan't to rewrite css.php to css.css so public can see css.css instead of css.php. how can i do that using php script?

    Read the article

  • "PHP: Good Parts"-ish book / reference

    - by julkiewicz
    Before I had my first proper contact with Javascript I read an excellent book "Javascript: The Good Parts" by Douglas Crockford. I was hoping for something similar in case of PHP. My first thought was this book: "PHP: The Good Parts" from O'Reilly However after I read the reviews it seems it totally misses the point. I am looking for a resource that would: concentrate on known shortcommings of PHP, give concrete examples, be as exhaustive as possible I already see that things can go wrong. If you want to close this question: Please consider this, I looked through SO, and Programmers for materials. I obviously found this question: http://stackoverflow.com/questions/90924/what-is-the-best-php-programming-book It's general, mine is specific. Moreover I'm reading the top recommendation "PHP Objects, Patterns, and Practice" right now. I find it insufficient -- it doesn't address the bad practices as much as I would like it to. tl;dr My question is NOT a general PHP book request.

    Read the article

  • Learning PHP OOP

    - by Ryan Murphy
    I have been coding PHP for about 2 years now and I THINK that I have a very good grasps of the fundamental parts of PHP, i.e. Functions foreach/IF statements sessions/cookies POST/GET Amongst a few others. I want to move on to learning OOP PHP now, so learning how to use classes and making it a really valuable skill. I have 1 requirement, the source must be a respected source that doesn't teach developers bad habits. I have the book: PHP and MySQL Web Development However, as useful as that is I would like an online source. I would like to know from people with experience in OOP PHP, how and where did they learn OOP PHP. Obviously by doing, but I would really appreciate some great resources which help me along the way.

    Read the article

  • Where to find PHP version usage stats?

    - by Darren Cook
    My original question was: what percentage of sites are using php 5.4.x? (As it has some very interesting new features.) With secondary questions like how many of the cheap web hosting places have upgraded, which versions of the linux distros include it, etc. But I'm coming up blanks. http://php.net/usage.php stops at July 2007, and the nexen.net website seems to have stopped in 2008. At SecuritySpace they only list the web servers, not php versions. The TIOBE link isn't what I'm after (it doesn't -- and couldn't -- break down by version number. I thought php.net might show download numbers, but I cannot see them anywhere. I kind of answered the distro question, but it requires a lot of clicking around at distrowatch.com. E.g. I see here that Ubuntu offers php 5.4.6 in the latest snapshot, but the latest release (Ubuntu 12.04) has 5.3.10.

    Read the article

  • Modern workflow / project architecture with PHP

    - by Sprottenwels
    I wonder how one professional developer would design the backend-part of his application. I try to use PHP as seldom as possible and only for data serving/saving purposes. To do so, i would create a module/class for every greater part of my application, then write some single script files which are called by javascript. E.g: User clicks a "retrieve data" button javascript will call retrieveData.php retrieveData.php will create an instance of the needed class, then executes myInstance-retrieve() the data is returned to my JS by retrieveData.php However, i see some disadvantages in this practice: I will need a single scipt file for every action, (e.g retrieveData.php, saveData.php etc) I need a man-in-the-middle step: from JS to my single script, to my classes How are modern applications designed to accomplish what i need to do?

    Read the article

  • Running mod_php and suPHP same time

    - by BHare
    I recently went from Debian Lenny with 5.2.x and was able to use mod_php for any php files that were not located in /home/ and suPHP for all the php files that were located in /home/. I did this because I needed a default php.ini (given me all features of php) for my websites in /var/www/ and I didn't want to have to change the owner of all the .php files from root. I also had a default php.ini for all the /home/ php files without dangerous features. This was I had setup: <IfModule mod_suphp.c> <Directory /home/> AddType application/x-httpd-php .php .php3 .php4 .php5 suPHP_AddHandler application/x-httpd-php suPHP_Engine on suPHP_ConfigPath /home/shared/ </Directory> </IfModule> This was working perfect, but recently I upgraded to PHP to 5.3.5 from dotdeb (Lenny has no official php 5.3) . This had weird issues on lenny such as not display errors correctly and little tid bits. So I decided to upgrade from lenny to squeeze. Uninstalled php (along with it came suphp) and reinstalled with the new source. I now have 5.3.3-7 with Debian Squeeze but I cannot get mod_php and suPHP to run at the same time anymore. mod_php will always work and there are no errors in apache2 or suphp logs. If I disabled mod_php then suPHP will work. Is there thing I am doing wrong?

    Read the article

< Previous Page | 11 12 13 14 15 16 17 18 19 20 21 22  | Next Page >